When Do You Need a QSA?
There are a number of circumstances in which an organization may be required to engage a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and undergo a formal assessment of its compliance with the standard.
The definition of who must have a formal assessment performed is determined by card brand entities such as Visa, MasterCard and American Express, and by the acquiring banks and processors who service merchants. You might need a formal assessment if any of the following apply:
- You are a merchant doing a very large volume of transactions annually (more than six million) with MasterCard or Visa; American Express requires an assessment for 2.5 million American Express card transactions or more per year, or for any merchant that American Express otherwise deems a Level 1 merchant;
- You are a merchant doing a large volume of transactions annually (more than one million) with MasterCard and you do not have a PCI-trained internal assessor on staff;
- You are a merchant that has been breached in the past or otherwise is deemed to represent exceptional risk; and/or
- You are a service provider to merchants that can impact the security of their payment transactions and you have access to a large volume of transactions annually.
These companies are required to undergo an audit and complete a Report on Compliance (ROC) for PCI DSS compliance assessed by approved QSAs according to the PCI Security Standards Council. You can also have an internal security resource perform an audit. However, if you choose an Internal Security Assessor (ISA) to assess your environment, you must ensure that they complete the PCI SSC ISA training and pass the annual ISA accreditation program.
Why use a QSA
For most merchants, achieving and maintaining PCI compliance is a time-consuming process that distracts from the daily activities of growing the business. If you don’t work with a QSA, you are leaving your business, your customers and your brand exposed to a possible data breach and ultimately more expenses.
QSA companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA employees are individuals who are employed by a QSA company and have satisfied and continue to satisfy all QSA requirements.
QSAs possess the network design experience and security training to conduct technically complex security assessments. The payment card technology environment, even for a small merchant, has evolved into a complex system that requires specific IT skills to ensure your security measures meet the ever-changing PCI requirements. Consultants holding the QSA certification must re-certify annually to ensure they are conversant with any changes to the PCI DSS requirements and guidelines.
Preparation before bringing in a QSA
Before bringing in a QSA to assess its security threats and potential areas of non-compliance, a company should first perform a risk assessment. As part of the risk assessment, the organization should determine the risk level of each of its assets, such as hardware, software, and sensitive information.
Once the risk assessment is complete a company can take a closer look at its security policies and procedures. These make up a significant amount of the PCI DSS requirements. Leaders within the organization should examine their own procedures side by side with these requirements and make any changes needed to strengthen their security programs. In addition to this, any compliance gaps should be addressed before an assessment takes place.
Secondly, it is suggested that a company lay the groundwork before the QSA arrives. What that means is that they must do everything within their power to identify weaknesses within their own system by completing a self-assessment of risk. It is in the best interests of companies to be completely honest with themselves about the gaps in their security. If a QSA has a head start on where to look for those gaps, they are in a better position to help a company fix those issues even if they result in compliance violations. It is much better to identify those breaks in security than to have them revealed by a hacker.
The third point is for a company to involve all of the necessary employees in the assessment process. A common miscalculation by managers is to limit how many employees interact with a QSA, perhaps thinking that certain of those employees lack the whole picture of the organization. Whatever the reason, it is always best that the QSA can study every aspect of the operation.
Finally, it is important for companies hiring a QSA not to treat them like an enemy. If a company does everything in its power to prepare for a QSA visit, the QSA becomes an ally. It is when managers put pressure on the QSA and themselves that mistakes are made and gaps are missed. It is in the best interests of a company to treat a QSA as a member of their team and give them everything they need to perform a quality assessment.
Selecting the right QSA
The first step is to choose a QSA company that is going to fit the needs of your company. Since companies can vary in several different ways, including merchant level, it is important to select a QSA company that has experience assessing security needs similar to those of your company.
The right QSA can help identify and address security risks while meeting an organization’s specific needs and budget. A good QSA is able to translate concepts into business terms, giving the company a firm grasp on the PCI requirements and the impact they may have on the business.
Selecting a QSA that has the right knowledge and experience will not only ensure that you achieve and maintain compliance with the PCI DSS, it will also give you the peace of mind that you are able to reduce your risks and control your costs on an ongoing basis.
Ensure that you pick a company whose QSAs have adequate training and credentials. QSAs go through intense training to understand PCI DSS and data security. At ERMProtect, we have practical experience in application security, information systems security, network security, IT security auditing and information security risk assessment or risk management that will expedite the certification process.
Our QSAs possess one or more industry-recognized professional certifications in Information Security (e.g. Certified Information System Security Professional (CISSP), Certified Information Security Manager (CISM)) and/or Security Auditing (e.g. Certified Information Systems Auditor (CISA)). These designations demonstrate a commitment to professional standards and continuing education that keeps each QSA at the forefront of an ever-changing security landscape.
Once you choose the QSA
Once on board, the QSA performs an initial gap analysis of your PCI DSS compliance status. The analysis shows what controls you already have in place and what still needs to be implemented in order to be fully PCI DSS compliant. The QSA will then share feedback and remediation checklist items, which provide detailed insight into what is required.
The QSA then performs an onsite assessment to determine how your payment security currently stands. The QSA visits your location, conducts multiple interviews, and collects evidence related to your current PCI DSS compliance status. Both technical and operational components of the business are evaluated according to PCI DSS.
After the onsite assessment has been completed, your QSA provides initial feedback on your compliance status and the required remediation steps. Your QSA explains areas of non-compliance, provides guidance on how you can become compliant, and gives advice on retesting procedures.
Once you meet all the eligible PCI DSS requirements and the audit is complete, the QSA writes your PCI DSS compliance status in a Report on Compliance (RoC). After this document has been reviewed and finalized, the QSA will provide an Attestation of Compliance (AoC), which is a summary of the results of the assessment. You can submit the AoC to your clients as proof of PCI certification.